Malware in Webpages
Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.
This typically takes the form of malicious functionalities.
This page lists web sites containing proprietary JavaScript programs that spy on users or mislead them. They make use of what we call the JavaScript Trap. Of course, many sites collect information that the user sends, via forms or otherwise, but here we're not talking about that.
If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.
-
2022-04
The US government sent personal data to Facebook for every college student that applied for US government student aid. It justified this as being for a “campaign.”
The data included name, phone number and email address. This shows the agency didn't even make a handwaving attempt to anonymize the student. Not that anonymization usually does much good—but the failure to even try shows that the agency was completely blind to the issue of respecting students' privacy.
-
2020-09
The Markup investigated 80,000 popular web sites and reports on how much they snoop on users. Almost 70,000 had third-party trackers. 5,000 fingerprinted the browser to identify users. 12,000 recorded the user's mouse clicks and movements.
-
2018-11
Many web sites use JavaScript code to snoop on information that users have typed into a form but not sent, in order to learn their identity. Some are getting sued for this.
The chat facilities of some customer services use the same sort of malware to read what the user is typing before it is posted.
-
2018-07
British Airways used nonfree JavaScript on its web site to give other companies personal data on its customers.
-
2018-05
The Verify browser extension by Storyful spies on the reporters that use it.
-
2018-05
A cracker used an exploit in outdated software to inject a “miner” in web pages served to visitors. This type of malware hijacks the computer's processor to mine a cryptocurrency.
(Note that the article refers to the infected software as “content management system”. A better term would be “website revision system”.)
Since the miner was a nonfree JavaScript program, visitors wouldn't have been affected if they had used LibreJS. Some browser extensions that specifically block JavaScript miners are also available.
-
2017-12
Some JavaScript malware swipes usernames from browser-based password managers.
-
2017-11
Some websites send JavaScript code to collect all the user's input, which can then be used to reproduce the whole session.
If you use LibreJS, it will block that malicious JavaScript code.
-
2017-01
When a page uses Disqus for comments, the proprietary Disqus software loads a Facebook software package into the browser of every anonymous visitor to the page, and makes the page's URL available to Facebook.
-
2016-12
Online sales, with tracking and surveillance of customers, enables businesses to show different people different prices. Most of the tracking is done by recording interactions with servers, but proprietary software contributes.
-
2016-11
A research paper that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”
Here are two examples, taken from the research paper, of proprietary VPN apps that use JavaScript to track users and infringe their privacy:
- VPN Services HotspotShield
- Injects JavaScript code into the HTML pages returned to the users. The stated purpose of the JS injection is to display ads. Uses roughly five tracking libraries. Also, it redirects the user's traffic through valueclick.com (an advertising website).
- WiFi Protector VPN
- Injects JavaScript code into HTML pages, and also uses roughly five tracking libraries. Developers of this app have confirmed that the non-premium version of the app does JavaScript injection for tracking the user and displaying ads.
-
2016-03
E-books can contain JavaScript code, and sometimes this code snoops on readers.
-
2013-10
Flash and JavaScript are used for “fingerprinting” devices to identify users.
-
2012-10
Many web sites rat their visitors to advertising networks that track users. Of the top 1000 web sites, 84% (as of 5/17/2012) fed their visitors third-party cookies, allowing other sites to track them.
-
2012-08
Many web sites report all their visitors to Google by using the Google Analytics service, which tells Google the IP address and the page that was visited.
-
[2012]
Many web sites try to collect users' address books (the user's list of other people's phone numbers or email addresses). This violates the privacy of those other people.
-
2011-10
Pages that contain “Like” buttons enable Facebook to track visitors to those pages—even users that don't have Facebook accounts.
-
2010-03
Flash Player's cookie feature helps web sites track visitors.